Dear all,

we successfully set up single sign on with client certification through an internet client. So when the user opens the browser, the server will ask for a client certificate and if the browser shows a valid one, the user is authenticated.

However, in the process to make this happen one step was to import the already existing client certificate from an external CA (in fact our own IIS based Windows CA) to the person record.

My question is about how to manage this import and ongoing renewals of the certificates (they are only valid for few months because of security restrictions) for about 3000 employees.

Obviously the solution can't be that we'd have every user to import the certificate on its own. Is there another solution I don't see at the moment? Are there any tools or API to support this if update of person record is really necessary?

Many thanks and kind regards
Jens